Microsoft gets control of zombie domain, warns about malware “in the supply chain”

Microsoft has announced, with perfectly rightful excitement, that a court in Virginia, USA, has given it control over the domain 3322 dot org.

This is one of the most prevalent call-home locations used by malware in the Nitol family, many variants of which are pre-programmed to contact web addresses in the 3322 dot org domain.

Bot-infected PCs, or zombies, call home – often by using an innocent-looking HTTP web request to a so-called command and control server – to fetch instructions from the crooks on what to do next.

Bots can come pre-programmed to do a wide range of malevolent tasks – sending spam, stealing passwords and attacking other computers, for example – but almost all bots also include a totally generic “download and run” function. So, bots can be commanded to update themselves, to fetch and run additional malware, and even to downgrade existing system software. Anything, indeed, that the crook wants.

That’s one reason why it’s rarely possible, these days, to answer the question, “What does malware X do, exactly?” The problem is not what it does today, but what it might be doing tomorrow, or the day after.

Putting Microsoft in control of the 3322 dot org domain isn’t going to save the world. But it is going to disrupt the control that the crooks currently enjoy over many already-infected PCs, as well as giving some useful intelligence and insight into the Nitol zombie networks. That will probably be handy for law enforcement operations in the future.

SophosLabs figures only serve to reinforce Microsoft’s already-worrying observations of the scale of the Nitol botnet operation: we’ve seen tens of thousands of Nitol variants so far this year, calling home to a dizzying array of different URLs.

Building a word cloud from just the first 1000 call-home URLs from our zoo of Nitol variants shows an intriguing variety – from developmenter and centralserver to kiss360 and fuwuqihacker. The names would bring a smile to your lips, were it not for the fact that they represent a veritable web of cybercriminality.

Microsoft is also calling attention to the fact that its researchers found Nitol malware being distributed in what it calls “the supply chain”. (By this, Microsoft means, “We bought a bunch of brand new PCs in China and the malware was already installed.” In fact, the company has drawn a bit of a long bow in this case – Nitol was on just one computer out of the 20 purchased by its field agents.)

Let that be a reminder: a new digital device is only new to you!

Over the years, we’ve reported on a wide variety of pre-infected hardware, including:

* Aldi shipping malware on removable disk drives.

* IBM giving out infected USB keys (at a security conference, no less).

* Olympus shipping malware on cameras.

* Samsung issuing pre-infected mobile phones.

* Best Buy selling malware-tainted digital picture frames.

* Aldi, again, with a long-believed-extinct virus on pre-built PCs.

All those incidents almost certainly involved incompetence and error, and for all we know, the infection on the PC bought by Microsoft might have a similar explanation.

But now add cybercriminality, and the ease of deliberate infection anywhere between the factory and the purchaser, into the mix. Let me repeat what I said above: “A new digital device is only new to you.”

It’s painful to do, but always scan new devices for malware before you put them into use. Or wipe and reformat them if you bought them only for storage purposes.

Sophos Anti-Virus on all platforms detects and blocks Nitol malware under a variety of names, including:

* Mal/Nitol-A to Mal/Nitol-C.

* Troj/Nitol-C to Troj/Nitol-G.

* Troj/Nitol-Gen.